Openfire SSO Problem - Authorization failed


I am writting you due to our recent problems with Openfire. Everything went well till last month. Openfire is running but Miranda clients are no longer able to connect to Openfire. It says that Authorization Failed. We are running in Windows environment using SSO. We had version 3.8.2, also tried with 3.10 - same problem. When I remove system properties for SSO, I can login manually with my AD credentials. Openfire log shows this but I am not sure that it is the problem, my colleague says he has seen that before:

Openfire Log
2015.04.29 15:29:48 org.jivesoftware.openfire.handler.IQHandler - Internal server error

java.lang.IllegalArgumentException: The input is not a valid JID resource:

at org.xmpp.packet.JID.resourceprep(

at org.jivesoftware.openfire.handler.IQAuthHandler.login(

at org.jivesoftware.openfire.handler.IQAuthHandler.handleIQ( )

at org.jivesoftware.openfire.handler.IQHandler.process(

at org.jivesoftware.openfire.IQRouter.handle(

at org.jivesoftware.openfire.IQRouter.route(

at org.jivesoftware.openfire.spi.PacketRouterImpl.route(


at .java:93)



at org.jivesoftware.openfire.nio.ConnectionHandler.messageReceived(ConnectionHandl

Our gss.conf looks like this:

gss.conf {



keyTab=“C:/Program Files (x86)/Openfire/resources/xmpp.keytab”







and our System Properties are:

System Properties
sasl.gssapi.config C:\Program Files (x86)\Openfire\conf\gss.conf
sasl.gssapi.debug false
sasl.gssapi.useSubjectCredsOnly false
sasl.mechs GSSAPI
sasl.realm CFME.LOCAL

We have changed nothing, I wonder if it can be caused by Windows Updates. If I can provide any more information, please just let me know.

Thank you very much!

what version of java are you using with openfire? does miranda use java too? if so, what version of java?



sorry for late answer. We had holidays. Miranda does not use Java. Web interface of Openfire says 1.7.0_76 Oracle Corporation – Java HotSpot™ Client VM

I would first try another client, to rule out it being a miranda issue. try spark 2.7


so I tried Spark but with no success with SSO

It could be a number of things. has your domain level changed? new DC? is DNS working ok? did you verify your krb5.ini files? Make sure you SPN account used isn’t locked out. Maybe regen your keytab file.

That is the problem. Nothing has changed. Same domain level, no new DC. DNS is working properly. For ensure I am posting krb5.ini:


default_realm = CFME.LOCAL

noaddresses = true



kdc = server.cfme.local

default_domain = cfme.local


I am thinking… could be a problem with more IP addresses? Because there is IIS with IP address for SSL web? But DNS is set up correctly